To remain competitive, financial
institutions continually look for
ways to cut costs, attract new
customers, and boost revenues. Remote
deposit capture (RDC) technology helps
to streamline and improve the efficiency
of one area of bank operations: processing
check deposits. RDC allows financial
institution customers to “deposit” checks
electronically at remote locations, usually
in the customers’ offices, for virtually
instant credit to their account. Paper
checks are digitally scanned, and an
image of the check is electronically transmitted
to the customer’s bank.

Most RDC customers are merchants
who want to reduce the costs of transporting
paper checks to their financial
institution and gain faster access to their
funds. Funds from a paper check are typically
available within five business days.
However, with RDC, funds from checks
remotely deposited on Monday often are
available on Tuesday or Wednesday of
the same week—a significant financial
advantage to all businesses, particularly
for small- and medium-sized businesses.
Some banks are marketing RDC to
doctors and lawyers, two professions that
often receive payment for their services by check.1 Other types of businesses that
are customarily paid in cash or by credit
card, such as restaurants, would not
necessarily benefit from RDC.

This article discusses the development
and recent growth in the use of the RDC
technology, identifies risks to financial institutions that offer this service, and
highlights appropriate risk management
techniques described in recently issued
Federal Financial Institutions Examination
Council (FFIEC) guidance.

Background

The Check Clearing for the 21st
Century Act (Check 21 Act), which took
effect October 28, 2004, paved the way
for the development of RDC. The Check
21 Act created a new negotiable instrument
called a “substitute check,” which
is the legal equivalent of an original
check. A substitute check contains an
image of the front and back of the original
check that can be processed as the
original check.2 The customer transmits
this image electronically, usually via the
Internet, to the depository financial institution.
The substitute check is cleared
and settled electronically, thereby expediting
credit to the customer’s account.

First Tennessee Bank in Memphis was
one of the first financial institutions to
implement RDC. It introduced the “First
Deposit Plus” product3 in 2003 as a way
to expand its deposit base. As of March
2008, First Tennessee had customers
in 46 states using its RDC service.4 In
July 2007, Forrester Research, an information
technology research company,
reported that 88 percent of the top 25
U.S. banks were offering RDC to their
business customers.5 For example, Bank
of America, Citibank, and PNC offer
RDC to their commercial customers.6

As of year-end 2008, Celent, an international
financial services consulting firm,
estimated that two-thirds of all U.S. banks
were offering RDC services.7 And in
March 2008, the ABA Banking Journal
published the 12th Annual Community
Bank Competitiveness Survey, which
reported that 38 percent of the community
banks surveyed offered RDC, and
another 26 percent were planning to
offer the service by year-end 2008.The
survey noted that the adoption rate for
RDC is “much faster than we saw with
bank Web sites."8

For financial institutions using RDC, the
numbers are impressive. For example,
in 2008, Zions Bancorporation in Utah
and its affiliates reported that more than
11,000 customers were using their RDC
service, depositing more than $400
million daily. Zions reported adding 45
new RDC customers per week.9

Some banks offer RDC for free on the
condition that the customer maintains a
certain minimum deposit balance. Others
charge a fee, perhaps $60 a month.10 Specialized scanners record and transmit
images of the front and back of the
check being deposited.11 Scanners, which
cost between $225 and $2,500, can be
purchased by the customer or leased
from the financial institution as part of
the RDC service. One bank reports that
RDC costs less than $10,000 to implement,
well below the $300,000 minimum
capital cost of a new branch office.12

Although RDC offers considerable
benefits to financial institutions and their
customers, the service is not without
risks. For example, an institution no
longer has the opportunity to examine
the physical item being deposited, which
heightens risk in the check-clearing
process. The operational, legal, and
compliance risks associated with RDC
are discussed below, with particular
emphasis on the risk of fraud.

Managing RDC Risks

In response to the increasing use of
RDC, in January 2009, the FFIEC issued
guidance to help financial institutions
identify risks in their RDC systems
and evaluate the adequacy of controls
and risk management practices.13 The
guidance also should be useful to bank
examiners, especially those who may
be examining a bank offering RDC for
the first time. Examination procedures
targeting the use of RDC, which are
consistent with the guidance, are scheduled
to be published in a revised and
updated version of the FFIEC Retail
Payment Systems Booklet.14

The risks associated with the use of
RDC should be identified within the
financial institution’s overall risk assessment
process. The primary risk is the
potential for fraud. When an institution
takes a risk-sensitive function, in this
case accepting items for deposit and
credit to a customer’s account, and
allows it to be conducted outside the “trusted zone” that includes its internal
network and closed check-processing
environment, the risk of fraud increases.
A financial institution can control what
occurs on its internal network or in its
check-processing facility, including the
implementation of fraud prevention
processes, but it cannot exert the same
control over items deposited remotely.

The FFIEC guidance identifies three
categories of risk to financial institutions
that offer RDC: operational, legal, and
compliance. The following discussion
identifies these risks and outlines effective
risk management strategies.

Operational Risks and Controls

The FFIEC guidance covers several
issues that require management attention.
Many of these risks relate directly to
the potential for fraud, while others may
also result in fraud in certain circumstances.
Some of the key risks are as
follows:

Redeposit of items/duplicate presentment

Alteration of deposited items/forged endorsement

Deposit of counterfeit items

Poor image quality

Safety and integrity of deposited items held by customers (i.e., protection of personal information)

Proper disposal of deposited items by customers

Customer authentication when accessing the RDC system

Data security of and lack of encryption in the RDC system

Reliability of the RDC vendor

Customer Screening

Customer screening is the single most
effective risk mitigation technique that
financial institutions should implement
when offering RDC. Not all customers
need RDC services, and not all
may qualify for them. The institution
should consider whether the customer
is a long-standing client with effective
management and close control of financial
processes or a new customer whose
business characteristics and transaction
history are relatively unknown.
Many financial institutions offering RDC
services require customers to maintain
minimum deposit balances to insulate
the institution from the risk of fraudulent
deposits or items that do not clear owing
to insufficient funds.

Financial institutions also should
consider the customer’s business line,
geographic location, and client base. In
evaluating a customer’s client base, the
institution should carefully scrutinize
those from higher-risk industries, such
as mail order or Internet retailers, adult
entertainment, offshore businesses,
and online gambling. These industries
have demonstrated a greater risk of
fraud and nonpayment than more traditional,
domestic, face-to-face businesses.
Customers that serve these higher-risk
businesses may not be appropriate
candidates for RDC or may be required
to maintain higher deposit balances or
agree to more stringent on-site audit
procedures.

To date, the federal financial institution
regulatory agencies have not observed
increased fraud rates related to RDC
services. In fact, the RDC fraud rate is
lower than the average for general item
processing.15 The consensus among the
agencies is that this is due primarily to
satisfactory customer screening on the
part of financial institutions offering
RDC.16

Monitoring and Reporting

Financial institutions should regularly
produce internal reports on the status
of their RDC service. For example, the
reports should cover duplicate deposits,
violations of deposit thresholds (the total
value of checks that may be deposited
daily via RDC), velocity metrics (the
number of items being deposited daily),
transaction dollar volume, return item
dollar volume, the number of checks
rejected owing to poor image quality
or other factors, and other adjustments
made after deposit owing to discrepancies
in the check amount. Management
should review these reports in a timely
manner, and any aberrations should be
addressed promptly within the institution
or with the customer or the RDC vendor.

Vendor Screening

Most banks offering RDC services work with a vendor that provides, installs, maintains, and updates the hardware and software. Although this is generally a sound approach, management should evaluate the track record of RDC vendors to ensure that they are reputable and competent. Financial institutions should look for vendors with experience in providing RDC services and should check references. Either the institution or the vendor should ensure that the customer’s employees are trained in the use of the RDC system. The FFIEC Outsourcing Technology Services Booklet contains information and recommendations on how financial institutions should screen, evaluate, and monitor technology vendors, including those providing RDC services.17

Customer Audits

After determining that a customer’s
business is suitable for RDC services,
the institution may consider evaluating the customer’s operational controls
(i.e., separation of duties, implementation
of dual controls, endorsement of
items to prevent redeposit, and secure
storage and disposal of original checks)
on-site; assessing how the customer’s
employees responsible for depositing
items will be trained; and reviewing the
physical and logical security measures
surrounding the RDC system. Confirming
that the customer securely stores
and disposes of the original paper checks
is particularly important as these items
contain sensitive financial information
(name, address, bank name, and account
number) that can be used by identity
thieves. In some cases, an independent
audit of the customer may be warranted.

Business Continuity Planning

The FFIEC requires every financial
institution to have a business continuity
plan (BCP) in place.18 If an institution
offers RDC, its BCP should describe
actions to be taken if the RDC system
fails and the steps to return the RDC
service to operation.

Change Control Processes

As is the case with any technology
system, RDC hardware, software, and
procedures will need to be updated
over time. Financial institutions and, if
appropriate, their RDC vendor should
have in place written change control
procedures (i.e., mutually agreed-upon
procedures governing how software and
hardware will be updated and how policies
will be revised) with all customers
using the RDC service. Thus, all parties
will be on the same page when software
or hardware is updated or policies and
procedures are revised. Change control
procedures can help avoid glitches from
checks not being deposited or funds not
being credited to the customer’s account.

Insurance

Financial institutions should investigate
whether commercial insurance coverage
is available to protect them from
liability in the event of problems with
the RDC service. Management will need
to determine whether the amount of
coverage available justifies the cost of the
insurance.

Legal Risks and Controls

When a bank accepts a check image
for deposit through its RDC system and
clears and settles the check, it exposes
itself to certain legal risks under the
Check 21 Act, Regulation CC,19 Regulation
J,20 and applicable state laws, as well
as under clearinghouse rules or other
agreements. Most legal risks associated
with offering RDC services can be mitigated
through the use of appropriate
contracts and customer agreements. The
RDC service agreement should describe
the responsibilities and liabilities of the
financial institution and its customer,
including record retention periods for
the original deposited items, physical
and logical security measures protecting
the RDC scanner, and proper disposal
of the original deposited items once the
retention period has expired. The agreement
also should describe the types of
items that can be deposited remotely,
individual item dollar limits, overall per-day
dollar limits, and minimum image
quality standards. The institution should
consider requiring a periodic audit of
RDC processes at the customer location
and, if so, include such terms in the
agreement. Banks also should ensure
that customer agreements describe the
policies and procedures that must be
followed at the customer’s RDC location,
including applicable operational controls
to help mitigate possible fraud, such as dual controls and appropriate separation
of duties.

Compliance Risks and Controls

Financial institutions must determine
whether and to what extent the use of
RDC systems increases exposure to
the risk of money laundering or other
suspicious activities. Institutions should
refer to the FFIEC Bank Secrecy Act/
Anti-Money Laundering Examination
Manual for a description of their responsibilities.21 In general, when less personal
interaction occurs between a bank and
its customers, or a bank’s ability to examine
financial instruments is limited, the
risk of violating laws and regulations in
these areas increases.

Financial institutions and their customers
are legally obligated to comply with
laws and regulations implemented to
help prevent and detect money laundering
and international terrorist financing.
Banks offering RDC services should
ensure their own Bank Secrecy Act
compliance experts or outside consultants,
if used, consider how these laws
and regulations may impact RDC and
develop policies, procedures, and
processes to mitigate this risk. Bank staff
responsible for RDC services should
receive appropriate training to ensure
compliance with bank policies and
procedures as well as existing laws and
regulations.

Conclusion

Because of the significant business
advantages provided through the use of
RDC, the number of financial institutions
offering RDC services and the number
of customers using these services are
expected to continue to increase in the
near term. However, along with the advantages comes the responsibility of
bank management and examiners to be
aware of the risks associated with providing
RDC services and how those risks
should be mitigated.

The primary risks are operational,
specifically the risk of fraud, and these
risks can be mitigated by using effective
risk management techniques, such
as those outlined in the FFIEC guidance.
These techniques are not costly or
complex, and they can easily be implemented
by both large and small banks.
All risk management strategies described
in this article should be considered;
however, customer screening is the first
step financial institutions should take
when deciding to provide RDC services
to a particular customer.

Future Prospects

When considering what lies ahead for
the use of RDC technology in the longer
term, institutions should note that the
number of checks being written in this
country has declined steadily since 1995.
Conversely, the number of electronic
payments has grown, and as of 2003,
exceeded the number of checks for the
first time. These statistics suggest that
RDC may be a “gap” technology that
perhaps will exist only for the next five to
ten years.

In the very near future, financial institutions
may apply RDC technology in other
ways to reduce deposit-processing costs
and expand their deposit base. The first
way is making RDC available to retail
customers in their homes. Consumers
would not need to visit a branch or ATM
to deposit checks, but rather would
simply run the check through a scanner
connected to a personal computer with
Internet access.22

The second is offering RDC to mobile
professionals who travel to client sites
and are paid in person by check. The
technology exists to enable these individuals
to deposit checks at a client’s
location or in their car using a cell phone
camera.23 Although neither of these applications
is now in widespread use, both
suggest intriguing opportunities for the
future of RDC for banks and customers
alike.

11 Financial institutions generally recommend specialized scanners that read a check’s magnetic ink character recognition line and optical character recognition to determine the dollar amount of the check in characters and words.